
.Net 4.5.1 / MVC 5.1.2 / Identity 2.0.1

Greetings,

I needed a way for administrators to disable (can't delete) user accounts so I set the LockoutEndDateUTC field to a future date and I already had the LockoutEnabled field set to true for all users. There's another SO thread, here, that talks about the same method. This obviously works but only if the user has to enter a username/password.

Here's the problem... If the user has set the auth cookie with the "Remember Me" functionality prior to being disabled, the lockout is not being checked and all subsequent visits are authenticated and the "lockout" is ultimately overlooked.

Firstly, I believe this to be a bug in Identity and I've already logged an issue on codeplex.

Second, is there a better way to disable a user in version 2.0?

Thank you!

Mike

1 Answer


Locked out users are prevented from logging in, but indeed being locked out does not reject existing cookies; otherwise malicious users could cause the real user's cookie to get rejected. Of course, if you do want this behavior, you can simply call UpdateSecurityStamp on the user who's locked out in your Login action; this will reject existing cookies the next time they are validated against the database.

Hao Kung
  • Thank you Hao. I implemented the UpdateSecurityStamp as suggested and it worked perfectly. It's something that only site admins have access to and not part of the auto-lockout methods. Thanks again. – Mike Jun 21 '14 at 00:18
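An added example (not code from the question or the answer) of how the suggested UpdateSecurityStamp call fits into an MVC 5 / Identity 2.0 project: the cookie middleware must be configured to re-validate the security stamp, and the admin-side disable action rotates the stamp after setting the lockout fields. ApplicationUser, ApplicationUserManager and GenerateUserIdentityAsync are the default project template's names; AdminController and its Disable action are assumed names.

```csharp
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Startup.Auth.cs: without OnValidateIdentity the stamp in an existing
// cookie is never compared against the database, so a stamp change would
// not affect "Remember Me" sessions at all.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // The stamp is re-checked at most once per validateInterval, so a
                // disabled user's cookie keeps working for up to this long.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(5),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

// AdminController.cs (assumed name): disable an account without deleting it.
public class AdminController : Controller
{
    [HttpPost, Authorize(Roles = "Admin"), ValidateAntiForgeryToken]
    public async Task<ActionResult> Disable(string id)
    {
        var userManager = HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();

        // The lockout fields only block new username/password logins...
        await userManager.SetLockoutEnabledAsync(id, true);
        await userManager.SetLockoutEndDateAsync(id, DateTimeOffset.UtcNow.AddYears(100));

        // ...so also rotate the security stamp: every cookie issued before now
        // carries the old stamp and fails the next SecurityStampValidator check.
        await userManager.UpdateSecurityStampAsync(id);

        return RedirectToAction("Index");
    }
}
```

The validateInterval bounds how long a disabled account's existing cookie stays usable, so pick it to match how quickly an admin-initiated disable must take effect.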